Finding "buffer used as sprintf target"

[atwilso]

I'm working on a simple taint analysis problem and I've hit a wall. I could use more eyes on this. I'm using the VS Code CodeQL extension with CodeQL CLI v2.7.3.

Context: I'm working with the Exim database from LGTM. Exim has a global variable unsigned char *big_buffer (globals.h:367) that gets used as an output buffer for sprintf, as in the following snippet:

uschar *p;
p = big_buffer;
p += sprintf(CS p, "pid=%d", (int)queue_run_pid);

Here's the query I'm trying to run:

predicate isBigBufferAccess(VariableAccess access) {
    exists(Variable v |
        access.getTarget() = v
        and v.getName() = "big_buffer"
        )
}

predicate isSprintfCall(FunctionCall call) {
    call.getTarget().hasGlobalOrStdName("sprintf")
}

class BigBufferFlow extends TaintTracking::Configuration {
    BigBufferFlow() { this = "big_buffer_flow_to_sprintf" }

    override predicate isSource(DataFlow::Node arg) {
        exists(Assignment a |
            a = arg.asExpr()
            and isBigBufferAccess(a.getRValue())
        )
    }

    override predicate isSink(DataFlow::Node arg) {
        exists(FunctionCall call, VariableAccess access |
            isSprintfCall(call) 
            and call.getArgument(0).(VariableAccess) = access
            and arg.asExpr().(VariableAccess) = access
            )
    }
}

from BigBufferFlow config, DataFlow::Node source, DataFlow::Node sink
where config.hasFlow(source, sink)
select sink, source, sink,
   "big_buffer descendant $@ and $@",
   source, "assigned here",
   sink, "used in sprintf here"

My query (included below) returns no results and I don't understand why. Running Quick Evaluation on the isSource and isSink predicates turns up the source node (p = big_buffer) and the sink node (sprintf(CS p, ...)). What am I missing here?

[MathiasVP]

I think you'll get the results you want if you select the right-hand side of the assignment as your source (instead of the assignment itself):

  override predicate isSource(DataFlow::Node arg) {
    exists(Assignment a |
      a.getRValue() = arg.asExpr() and
      isBigBufferAccess(a.getRValue())
    )
  }